
Kernel DMA Protection Hardening to Secure Your Systems

Roy Ludmir
Published on: November 26, 2024

Kernel DMA Protection

Kernel Direct Memory Access (DMA) Protection is a security feature in Windows designed to prevent unauthorized access to memory by external peripherals.

Kernel DMA Protection requires UEFI firmware support; Virtualization-based Security (VBS) is not required.


Kernel DMA protection on or off?

Kernel DMA Protection provides a higher security bar for the system than the BitLocker DMA attack countermeasures, while preserving the usability of external peripherals.

Disabling Kernel DMA Protection may be required for certain hardware that needs unrestricted access. However, it’s essential to understand the security risks involved before making this change.

To Disable Kernel DMA Protection

To disable Kernel DMA Protection, follow these steps:

Via Windows Settings

  1. Press Windows + I to open Settings.
  2. Navigate to Privacy & Security > Windows Security > Open Windows Security.
  3. Go to Device Security > Core Isolation Details.
  4. Under Memory Access Protection, toggle the switch to Off. Enter your administrator credentials if prompted.
  5. Restart your system for the changes to apply.

Via BIOS (if the above method doesn’t work):

  1. Restart your PC and press the appropriate key (varies by manufacturer, e.g., F2, F10, or DEL) to access the BIOS setup.
  2. In the BIOS menu, go to the Security tab.
  3. Locate Kernel DMA Protection and set it to Disabled.
  4. Save changes and exit the BIOS.

Refer to your PC manufacturer’s manual for specific instructions, as BIOS layouts differ across devices.

Via GPO

To establish the recommended configuration via Group Policy, set the following UI path to Enabled: Block All:

Computer Configuration\Policies\Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).

Enumeration policy for external devices incompatible with Kernel DMA Protection

This policy aims to enhance security measures against external DMA-capable devices by offering increased control over the enumeration of such devices that may not support DMA Remapping or device memory isolation and sandboxing.

Note: This policy does not apply to 1394, PCMCIA or ExpressCard devices. The protection only applies to Windows 10 Release 1803 or higher, and it also requires a UEFI BIOS to function.

Note #2: More information on this feature is available at this link: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) | Microsoft Docs.

DMA Attacks and Kernel DMA Protection

DMA attacks exploit hardware functionality to bypass CPU controls and access system memory directly, potentially compromising sensitive data or taking control of the system.

How DMA Attacks Work

DMA allows devices to access memory without CPU involvement. Windows uses the IOMMU to block unauthorized peripherals unless their drivers support memory isolation (e.g., DMA remapping). Kernel DMA Protection only mitigates drive-by DMA attacks after the OS has initialized; protecting against DMA attacks during boot, for example through Thunderbolt 3 ports, remains the responsibility of the firmware/BIOS.

Examples of DMA Attacks

  1. FireWire (IEEE 1394): Attackers use malicious FireWire devices to access system memory directly.
  2. Thunderbolt: Exploits Thunderbolt’s DMA capabilities to access memory and compromise the system.
  3. GPU DMA: Vulnerable GPU drivers or firmware may allow attackers to misuse GPUs for unauthorized memory access.

Understanding these risks is essential for implementing proper safeguards.

Enable Kernel DMA Protection

Systems compatible with Kernel DMA Protection will activate the feature automatically, without any need for user or IT admin configuration.

You can verify whether Kernel DMA Protection is enabled using the Windows Security settings.

  1. Open Windows Security.
  2. Select Device security > Core isolation details > Memory access protection.

(screenshot: Memory access protection; reference: Microsoft, Kernel DMA Protection)

Alternatively, you can use the System Information desktop app (msinfo32.exe). If the system supports Kernel DMA Protection, the Kernel DMA Protection value will be set to ON.

(screenshot: Kernel DMA Protection on; reference: Microsoft, Kernel DMA Protection)

If the current state of Kernel DMA Protection is OFF and Hyper-V – Virtualization Enabled in Firmware is NO:

  • Reboot into UEFI settings
  • Turn on Intel Virtualization Technology
  • Turn on Intel Virtualization Technology for I/O (VT-d)
  • Reboot system into Windows

Hardening Kernel DMA Protection

Hardening Kernel DMA Protection refers to the process of enhancing the security of a system’s Direct Memory Access (DMA) by implementing measures to prevent unauthorized access to the system’s memory.

Automating the hardening process offers several advantages, making it the preferred approach for enhancing system security:

  • Manual configuration is prone to human error, which can leave systems vulnerable if proper settings are not applied consistently across the infrastructure.
  • Automation ensures that hardening measures like enabling IOMMU, disabling unnecessary DMA-capable interfaces, and applying least privilege mappings are implemented uniformly and reliably.
  • Automated processes can be triggered during system provisioning, updates, or on a recurring schedule to maintain the desired security posture.
  • Automation also simplifies the management and auditing of DMA protection policies, making it easier to validate compliance across a large number of systems.
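The following script is an added example, not code from the original article or from CalCom's product. It automates the two checks the article describes: the msinfo32 "Kernel DMA Protection" status and the "Enumeration policy for external devices incompatible with Kernel DMA Protection" Group Policy setting. It assumes that policy is stored as the DWORD value DeviceEnumerationPolicy under HKLM\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection (0 = Block all, 1 = Only after log in/screen unlock, 2 = Allow all) and that msinfo32 /report writes a UTF-16 text file.

```powershell
# Added audit example; assumptions are stated in the lead-in above.
# Requires an elevated PowerShell session on Windows 10 1809 / Server 2019 or newer.

function Get-KernelDmaProtectionState {
    # msinfo32 /report writes the System Information summary to a text file (UTF-16).
    # The line of interest reads "Kernel DMA Protection<tab>On" or "...Off".
    $report = Join-Path $env:TEMP 'msinfo32-dma-audit.txt'
    Start-Process -FilePath 'msinfo32.exe' -ArgumentList "/report `"$report`"" -Wait
    if (-not (Test-Path $report)) { return 'Unknown' }
    $text = Get-Content -Path $report -Encoding Unicode -Raw
    Remove-Item $report -ErrorAction SilentlyContinue
    if ($text -match '(?m)^\s*Kernel DMA Protection\s+(\S+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-DmaEnumerationPolicy {
    # Assumed registry location written by the DmaGuard.admx policy (see lead-in).
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
    $value = (Get-ItemProperty -Path $key -Name DeviceEnumerationPolicy `
                -ErrorAction SilentlyContinue).DeviceEnumerationPolicy
    switch ($value) {
        0       { 'Block all' }
        1       { 'Only after log in/screen unlock' }
        2       { 'Allow all' }
        default { 'Not configured' }
    }
}

function Test-KernelDmaHardening {
    # Compliant only when the feature is on AND incompatible devices are blocked,
    # which is the recommended configuration the article describes.
    $state  = Get-KernelDmaProtectionState
    $policy = Get-DmaEnumerationPolicy
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        KernelDmaProtection = $state
        EnumerationPolicy   = $policy
        Compliant           = ($state -eq 'On' -and $policy -eq 'Block all')
    }
}

# Run the audit; pipe the object to Export-Csv to collect results across a fleet.
Test-KernelDmaHardening | Format-List
```

A "Kernel DMA Protection: Off" result on a machine where Hyper-V reports virtualization disabled in firmware points to the VT-d / UEFI steps listed above rather than to a policy problem.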

Remember, hardening Kernel DMA Protection isn’t just an option, it’s an essential step in securing your digital domain. So, take charge and build a stronger, more resilient system today.

Roy Ludmir
Roy Ludmir is a cybersecurity entrepreneur and CEO with over 15 years of experience driving product innovation and sales growth in the security industry. He is highly skilled in CIS Benchmarks, baseline hardening, and vulnerability management, helping organizations strengthen defenses and meet compliance requirements. With a unique blend of executive leadership and deep technical expertise, he bridges business strategy with practical security solutions.
